Gentoo Forums
Need help with iptable rules
Forum: Networking & Security
farmer.ro (Apprentice, joined 20 Aug 2016, 179 posts)
Posted: Mon Nov 21, 2016 2:00 pm    Subject: Need help with iptable rules

At the moment I have iptables:

Chain input accept
Chain forward accept
Chain output accept

I am used to ufw and unfamiliar with iptables; how do I:

BLOCK ALL IN AND OUT traffic + only allow: port 443 tcp/udp + 53 tcp/udp + 80/tcp + 8080/tcp + 873/tcp
Zucca (Veteran, joined 14 Jun 2007, 1560 posts, KUUSANKOSKI, Finland)
Posted: Mon Nov 21, 2016 2:34 pm

I've always thought iptables is a mess and I still do. But I think it's important to learn it to be able to configure a firewall on any Linux.
So... I think you need to create one long rule... With the multiport module maybe.
Code:
# "!" must be a separate token before --dport; "!--dport" is a syntax error
/sbin/iptables -A INPUT -m state --state NEW -p tcp ! --dport 80 -j DROP
... would drop all outcomming connections that aren't going to tcp port 80. I have something along the line of that on my server which is now disconnected and powered off since I'm doing some service on the rack cabinet. Therefore I cannot check the exact lines.

man iptables:
Code:
--destination-ports port[,port[,port...]]
              Match if the destination port is one of the  given  ports.   The
              flag --dports is a convenient alias for this option.
... to get you started. Remember to use "!" to drop all BUT the connections going out to the listed ports.

I hope this helps.
farmer.ro (Apprentice, joined 20 Aug 2016, 179 posts)
Posted: Mon Nov 21, 2016 3:04 pm

Thank you for the post, but I just finished creating iptables rules.

On ufw it is possible to block IN and OUT and allow, for example, only port 53 OUT, and leave 53 IN blocked.

Strange that on iptables, as I just tested, it seems you need both 53 IN + OUT.

Also, what is the FORWARD chain used for? I have no idea.
charles17 (Advocate, joined 02 Mar 2008, 2660 posts)
Posted: Mon Nov 21, 2016 3:34 pm

Have you seen that sample script in the wiki?
It first flushes (-F), deletes (-X) and zeroes (-Z) the chains, then puts policies (DROP or ACCEPT) on them. Then comes what you explicitly allow.
Regarding the FORWARD chain, you only need it for servers, not for clients.
Hu (Moderator, joined 06 Mar 2007, 14185 posts)
Posted: Tue Nov 22, 2016 3:05 am

ufw is a frontend to manage the kernel's netfilter rules. It can only do things that the kernel supports. iptables is a tool to directly manage the rules in the kernel. Anything you can do in ufw can, with the right iptables rule, be done using only iptables. Zucca's advice, though well intentioned, will not scale correctly. Rules are first-match-wins, so if you write a rule to DROP all non-80 traffic, then a rule to DROP all non-53 traffic, then you are dropping all traffic because all 80 traffic is non-53 traffic.

The correct approach is the one hinted at by charles17. Use a policy of DROP and whitelist the specific ports and interfaces you want to allow. Note that the wiki script he pointed you to is a dangerous idea. It updates the rules in a non-atomic manner. Despite this, you will frequently find people telling you to use a script that performs non-atomic updates because it works fine, until it blows up in your face. :) On the positive side, the Wiki page he cites does hint that you should use the initscript to save/restore the rules, which is better advice than I usually see from people who advocate using a bash script to load rules. If you are in a hurry, use such a script to load the rules once, then proofread and do appropriate testing on the loaded rules. When you are happy, save the rules using the initscript and rely on it to load them on next boot, not the bash script.
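The point made in the last two replies, as an added example that is not code from any poster in this thread: a small model of the OUTPUT chain's first-match-wins evaluation for NEW packets, comparing the whitelist approach (policy DROP plus ACCEPT rules) with stacking one negated DROP rule per port, which drops everything. It also renders the whitelist in iptables-restore syntax so the whole table can be loaded atomically. The port sets are the ones the original poster listed; the rule layout (loopback and conntrack rules) is an assumption about a typical client box.

```python
# Added example, not from the thread. Models iptables chain evaluation for the
# ports the OP listed; the iptables-restore text is an assumed client layout.
ALLOWED = {"tcp": {53, 80, 443, 873, 8080}, "udp": {53, 443}}

def rule(proto, ports, target, negate=False):
    """One OUTPUT rule: match proto (None = any) and a dport set, optionally negated."""
    return {"proto": proto, "ports": ports, "negate": negate, "target": target}

def verdict(rules, policy, proto, dport):
    """Walk the chain in order; the first matching rule decides (iptables semantics)."""
    for r in rules:
        if r["proto"] not in (None, proto):
            continue
        hit = r["ports"] is None or dport in r["ports"]
        if hit != r["negate"]:        # "!" flips the port match
            return r["target"]
    return policy                     # chain policy applies when nothing matched

# Whitelist: policy DROP, one ACCEPT per protocol (multiport collapses the ports).
WHITELIST = [rule(p, s, "ACCEPT") for p, s in ALLOWED.items()]
# Stacked negation: "! --dport N -j DROP" once per port, under the default ACCEPT policy.
# Any packet fails the port test of some earlier rule, so every port is dropped.
STACKED_NEG = [rule("tcp", {p}, "DROP", negate=True) for p in sorted(ALLOWED["tcp"])]

def render_restore(allowed):
    """iptables-restore text for the whitelist; load with `iptables-restore < file`."""
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]",
             "-A INPUT -i lo -j ACCEPT", "-A OUTPUT -o lo -j ACCEPT",
             # replies to connections we opened come back in; no separate "53 IN" rule needed
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
             "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto, ports in allowed.items():
        lines.append(f"-A OUTPUT -p {proto} -m conntrack --ctstate NEW -m multiport "
                     f"--dports {','.join(map(str, sorted(ports)))} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for proto, port in [("tcp", 80), ("tcp", 22), ("udp", 53), ("udp", 123)]:
        print(proto, port, "whitelist:", verdict(WHITELIST, "DROP", proto, port),
              "stacked-negated:", verdict(STACKED_NEG, "ACCEPT", proto, port))
    print(render_restore(ALLOWED))
```

Review the rendered text before loading it, and save it with the initscript once you are happy, as the reply above advises.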